Privacy Ninja

QNAP Alerts NAS Customers of New DeadBolt Ransomware Attacks

QNAP Alerts NAS Customers of New DeadBolt Ransomware Attacks

Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads.

The company asked users to update their NAS devices to the latest software version and ensure that they’re not exposed to remote access over the Internet.

“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” the NAS maker said.

“QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.”

Also Read: November 2021 PDPC Incidents and Undertaking: Lessons from the Cases

This warning comes after another one about ransomware targeting Internet-exposed NAS devices published in January.

QNAP advised customers with public-facing devices to take the following actions to block potential attacks:

  • Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 433 by default).
  • Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration,” and unselect “Enable UPnP Port forwarding.”

The NAS maker also provides detailed steps on how to toggle off SSH and Telnet connections, change the system port number, change device passwords, and enable IP and account access protection.

In April, QNAP also urged NAS users to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing them to attacks from the Internet.

Those who need access to NAS devices without direct access to the Internet are advised to enable their router’s VPN feature (if available), use the myQNAPcloud Link service, and the VPN server on QNAP devices provided by the QVPN Service app, or the QuWAN SD-WAN solution.

With QNAP devices also being targeted by other ransomware families such as Qlocker and eCh0raix, all owners should immediately take the above measures to secure their data from future attacks.

DeadBolt ransomware

First spotted in attacks targeting QNAP NAS devices in late January, DeadBolt ransomware hijacks the QNAP device’s login page to display a screen stating, “WARNING: Your files have been locked by DeadBolt.”

Once deployed on a NAS device, this ransomware uses AES128 to encrypt files, appending a .deadboltextension to their names.

DeadBolt also replaces the /home/httpd/index.html file so that victims will see the ransom screen when accessing the compromised device.

After the ransom is paid, the threat actors create a bitcoin transaction to the same bitcoin ransom address containing the decryption key for the victim (the decryption key can be found under the OP_RETURN output).

Also Read: The importance of penetration testing for businesses

DeadBolt ransom note and instructions
DeadBolt ransom note and instructions (BleepingComputer)

Ransomware expert Michael Gillespie has created a free Windows decryptor that can help decrypt files without using the ransomware executable.

However, QNAP owners hit by DeadBolt ransomware will need to pay the ransom to get a valid decryption key.

DeadBolt ransomware returned in February in another campaign targeting ASUSTOR NAS devices and allegedly using a zero-day vulnerability.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us